Linux Archive


"Marcio B. Jr." 01-07-2012 04:26 AM

MySQL's LOAD DATA INFILE statement
 
Hi,
I'm incurring some problems with MySQL and SELinux, and I need help.

Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.

$ ps -eZ | grep mysqld
system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld

My problem is:
it is only possible to use "LOAD DATA INFILE" statement if SELinux is
in its permissive state.

Strangely, logs below show no avc denial (all I can tell from them is
Chinese tried to break into, and last line probably refers to when I
added mysql user to some group I created). But statement won't work in
enforcing state. Nothing gives me any tip concerning the referred
MySQL statement issue.

# cat /var/log/audit/audit.log | grep mysql
type=USER_LOGIN msg=audit(1305401554.802:34): user pid=2229 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305401556.759:36): user pid=2229 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404558.850:1653): user pid=3709 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404560.536:1655): user pid=3709 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404563.834:1656): user pid=3711 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404566.207:1658): user pid=3711 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=ADD_GROUP msg=audit(1322849937.081:18): user pid=1989 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group
acct="mysql" exe="/usr/sbin/useradd" hostname=? addr=? terminal=?
res=success'

Firstly, where could that avc denial be in?

And, well, I want to keep SELinux enforcing its policies, except for
what is needed in order to make "LOAD DATA INFILE" work.

So, what would be the proper way to achieve that?


Marcio Barbado, Jr.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Dominick Grift 01-07-2012 10:01 AM

MySQL's LOAD DATA INFILE statement
 
On Sat, 2012-01-07 at 02:26 -0300, Marcio B. Jr. wrote:
> Hi,
> I'm incurring some problems with MySQL and SELinux, and I need help.
>
> Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
>
> $ ps -eZ | grep mysqld
> system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
> system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld
>
> My problem is:
> it is only possible to use "LOAD DATA INFILE" statement if SELinux is
> in its permissive state.

This event may have been silently denied.
To reproduce the issue and expose silent denials:

run: semodule -DB
reproduce the issue
see if there is now an AVC denial displayed that is related to your
issue
run: semodule -B



"Marcio B. Jr." 01-09-2012 03:39 AM

MySQL's LOAD DATA INFILE statement
 
Hi Dominick, thanks for answering.

This is a really unusual situation. So far I cannot explain why but
after re-enabling enforcement for more tests, statement happened to
work just as it did with permissive state.

I've used "semodule -DB" and reproduced issue in both states. Still no
logs. Testing will continue.


Regards,






Marcio Barbado, Jr.

Miroslav Grepl 01-09-2012 09:17 AM

MySQL's LOAD DATA INFILE statement
 
On 01/09/2012 04:39 AM, Marcio B. Jr. wrote:

> Hi Dominick, thanks for answering.
>
> This is a really unusual situation. So far I cannot explain why but
> after re-enabling enforcement for more tests, statement happened to
> work just as it did with permissive state.
>
> I've used "semodule -DB" and reproduced issue in both states. Still no
> logs. Testing will continue.
>
>
> Regards,



Make sure auditd is running.

# service auditd status

You should see AVC msgs in /var/log/audit/audit.log or you can use the
ausearch tool


# ausearch -m avc -ts recent



Also you should use a newer version of Fedora which is supported
(Fedora15+).


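An added example, not part of the original thread: once `semodule -DB` has exposed dontaudit-suppressed denials, filtering on `type=AVC` and the source type separates real denials from records that merely mention "mysql". The sample records, the `avc_denials` function name and the file names in them are constructed for illustration.

```bash
#!/bin/sh
# Added example: list SELinux AVC denials for one source domain.

# Constructed audit records (not from the thread); addresses, names and inode
# numbers are made up. The first line is a failed sshd login of the kind a
# plain "grep mysql" matches: it mentions "mysql" but is not an AVC.
sample_audit_log() {
cat <<'EOF'
type=USER_LOGIN msg=audit(1326100000.100:40): user pid=2229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=sshd res=failed'
type=AVC msg=audit(1326100050.200:41): avc:  denied  { read } for  pid=1410 comm="mysqld" name="data.csv" dev=dm-0 ino=131 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1326100050.200:41): avc:  denied  { search } for  pid=1410 comm="mysqld" name="alice" dev=dm-0 ino=97 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1326100060.300:42): avc:  denied  { read } for  pid=900 comm="httpd" name="x" dev=dm-0 ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}

# avc_denials DOMAIN: read audit records on stdin and print one line per
# denial whose source type is DOMAIN: "perms tclass target_type comm".
avc_denials() {
    awk -v dom="$1" '
    /^type=AVC / && / denied / {
        perms = ""; stype = ""; ttype = ""; tclass = ""; comm = ""
        # Permission list sits between "{ " and " }"; join with commas.
        if (match($0, /\{ [^}]* \}/)) {
            perms = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type:level, so the type is field 3.
            if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        if (stype == dom) print perms, tclass, ttype, comm
    }'
}

# On a live host, as root, the steps from the thread become:
#   semodule -DB     # rebuild policy with dontaudit rules disabled
#   (run the failing LOAD DATA INFILE statement)
#   ausearch -m avc -ts recent | avc_denials mysqld_t
#   semodule -B      # rebuild policy with dontaudit rules restored

sample_audit_log | avc_denials mysqld_t
```

An empty result after `semodule -DB` with auditd running means no denial was logged for that domain during the test window.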
Daniel J Walsh 01-09-2012 04:17 PM

MySQL's LOAD DATA INFILE statement
 
On 01/07/2012 12:26 AM, Marcio B. Jr. wrote:
> Hi, I'm incurring some problems with MySQL and SELinux, and I need
> help.
>
> Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
>
> $ ps -eZ | grep mysqld
> system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
> system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld
>
> My problem is: it is only possible to use "LOAD DATA INFILE"
> statement if SELinux is in its permissive state.



Please update to a supported OS, F15 or 16. 12 is way out of date.
Nothing in your log indicates SELinux is blocking anything.

